Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

src: make debugger listen on 127.0.0.1 by default #8106

Merged
merged 1 commit into from
Aug 23, 2016

Conversation

bnoordhuis
Copy link
Member

@bnoordhuis bnoordhuis commented Aug 15, 2016

Commit 2272052 ("net: bind to :: TCP address by default") from
April 2014 seems to have accidentally changed the default listen
address from 127.0.0.1 to 0.0.0.0, a.k.a. the "any" address.

From a security viewpoint it's undesirable to accept debug agent
connections from anywhere so let's change that back. Users can
override the default with the --debug=<host>:<port> switch.

Fixes: #8081

CI: https://ci.nodejs.org/job/node-test-pull-request/3670/

@bnoordhuis bnoordhuis added c++ Issues and PRs that require attention from people who are familiar with C++. debugger semver-major PRs that contain breaking changes and should be released in the next major version. lib / src Issues and PRs related to general changes in the lib or src directory. labels Aug 15, 2016
@bnoordhuis
Copy link
Member Author

Fix for platforms where binding to 127.0.0.2 doesn't work: https://ci.nodejs.org/job/node-test-pull-request/3671/

@jasnell
Copy link
Member

jasnell commented Aug 15, 2016

@indutny

LGTM

@bnoordhuis
Copy link
Member Author

Commit 2272052 ("net: bind to `::` TCP address by default") from
April 2014 seems to have accidentally changed the default listen
address from 127.0.0.1 to 0.0.0.0, a.k.a. the "any" address.

From a security viewpoint it's undesirable to accept debug agent
connections from anywhere so let's change that back.  Users can
override the default with the `--debug=<host>:<port>` switch.

Fixes: nodejs#8081
PR-URL: nodejs#8106
Reviewed-By: James M Snell <jasnell@gmail.com>
@bnoordhuis bnoordhuis closed this Aug 23, 2016
@bnoordhuis bnoordhuis deleted the fix8081 branch August 23, 2016 19:12
@bnoordhuis bnoordhuis merged commit 8e7cbe2 into nodejs:master Aug 23, 2016
@gibfahn gibfahn mentioned this pull request Jun 15, 2017
3 tasks
rvagg added a commit that referenced this pull request Nov 28, 2018
This is a security release. All Node.js users should consult the security
release summary at:

  https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  * Node.js: Debugger port 5858 listens on any interface by default
    (CVE-2018-12120)
  * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
  * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
  * Node.js: Hostname spoofing in URL parser for javascript protocol
    (CVE-2018-12123)
  * Node.js: HTTP request splitting (CVE-2018-12116)
  * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
  * OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication
    (CVE-2018-5407)

Notable Changes:

* debugger: Backport of #8106 to
  prevent the debugger from listening on `0.0.0.0`. It now defaults to
  `127.0.0.1`. Reported by Ben Noordhuis. (CVE-2018-12120 / Ben Noordhuis).
* deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
* http:
  * Headers received by HTTP servers must not exceed 8192 bytes in total to
    prevent possible Denial of Service attacks. Reported by Trevor Norris.
    (CVE-2018-12121 / Matteo Collina)
  * A timeout of 40 seconds now applies to servers receiving HTTP headers. This
    value can be adjusted with `server.headersTimeout`. Where headers are not
    completely received within this period, the socket is destroyed on the next
    received chunk. In conjunction with `server.setTimeout()`, this aids in
    protecting against excessive resource retention and possible Denial of
    Service. Reported by Jan Maybach (liebdich.com).
    (CVE-2018-12122 / Matteo Collina)
  * Two-byte characters are now strictly disallowed for the `path` option in
    HTTP client requests. Paths containing characters outside of the range
    `\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior
    can be reverted if necessary by supplying the
    `--security-revert=CVE-2018-12116` command line argument (this is not
    recommended). Reported as security concern for Node.js 6 and 8 by
    Arkadiy Tetelman (lob.com), fixed by backporting a change by Benno
    Fünfstück applied to Node.js 10 and later.
    (CVE-2018-12116 / Matteo Collina)
* url: Fix a bug that would allow a hostname being spoofed when parsing
  URLs with `url.parse()` with the `'javascript:'` protocol. Reported by
  Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)

PR-URL: nodejs-private/node-private#153
refack pushed a commit to refack/node that referenced this pull request Jan 14, 2019
This is a security release. All Node.js users should consult the security
release summary at:

  https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  * Node.js: Debugger port 5858 listens on any interface by default
    (CVE-2018-12120)
  * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
  * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
  * Node.js: Hostname spoofing in URL parser for javascript protocol
    (CVE-2018-12123)
  * Node.js: HTTP request splitting (CVE-2018-12116)
  * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
  * OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication
    (CVE-2018-5407)

Notable Changes:

* debugger: Backport of nodejs#8106 to
  prevent the debugger from listening on `0.0.0.0`. It now defaults to
  `127.0.0.1`. Reported by Ben Noordhuis. (CVE-2018-12120 / Ben Noordhuis).
* deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
* http:
  * Headers received by HTTP servers must not exceed 8192 bytes in total to
    prevent possible Denial of Service attacks. Reported by Trevor Norris.
    (CVE-2018-12121 / Matteo Collina)
  * A timeout of 40 seconds now applies to servers receiving HTTP headers. This
    value can be adjusted with `server.headersTimeout`. Where headers are not
    completely received within this period, the socket is destroyed on the next
    received chunk. In conjunction with `server.setTimeout()`, this aids in
    protecting against excessive resource retention and possible Denial of
    Service. Reported by Jan Maybach (liebdich.com).
    (CVE-2018-12122 / Matteo Collina)
  * Two-byte characters are now strictly disallowed for the `path` option in
    HTTP client requests. Paths containing characters outside of the range
    `\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior
    can be reverted if necessary by supplying the
    `--security-revert=CVE-2018-12116` command line argument (this is not
    recommended). Reported as security concern for Node.js 6 and 8 by
    Arkadiy Tetelman (lob.com), fixed by backporting a change by Benno
    Fünfstück applied to Node.js 10 and later.
    (CVE-2018-12116 / Matteo Collina)
* url: Fix a bug that would allow a hostname being spoofed when parsing
  URLs with `url.parse()` with the `'javascript:'` protocol. Reported by
  Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)

PR-URL: https://github.com/nodejs-private/node-private/pull/153
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. semver-major PRs that contain breaking changes and should be released in the next major version.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants